A security team is creating an incident response plan. Which scenario should trigger activation of the full incident response team?
- A. An email filter blocks a phishing attempt
- B. A user reports receiving a suspicious email
- C. Unauthorized access to multiple systems is confirmed ✓
- D. A single workstation has a malware infection
Correct answer: Unauthorized access to multiple systems is confirmed
Option C is correct because confirmed unauthorized access across multiple systems indicates an active, high-severity incident with broad organizational impact, meeting the threshold for full incident response team activation as defined in most IR frameworks such as NIST SP 800-61. Option A is incorrect because a phishing email being caught by a filter is a routine security event that was successfully blocked and does not require escalation beyond monitoring. Option B is incorrect because a user reporting a suspicious email is a low-severity precursor that warrants investigation by a tier-1 analyst but not full team activation until malicious activity is confirmed. Option D is incorrect because a single workstation malware infection, while serious, is typically handled by a smaller response team or standard remediation procedures unless lateral movement or escalation is detected.
Topics: incident response, CySA+, escalation criteria, threat triage